Ukraine and the state of play in Enterprise Security

SAP security

When it comes to cybersecurity, enterprise tech can no longer afford to ignore the threat of hostile nation states.


Cyber insecurity was the big story of 2021.

Headline-grabbing incidents included the Colonial Pipeline attack on US oil infrastructure, and the Kaseya ransomware breach by Russia-affiliated REvil which affected up to 1,500 organisations using the desktop management software.

In the world of enterprise tech there was one hack which may have flown under the radar as last year drew to a close. In November, at least nine global organisations and 11,000 servers were hit in a breach of the cloud software company Zoho. 

Blamed for the attack was Emissary Panda, also known as APT27, a group thought by many to be supported by the Chinese government. Amongst its likely victims was The International Committee of the Red Cross (ICRC), with servers hosting personal data belonging to more than 515,000 people worldwide compromised in the attack.

According to a post on the ICRC website, people affected included missing people and their families, detainees and other people receiving its services ‘as a result of armed conflict, natural disasters or migration.’

It remains to be seen whether the humanitarian mainstay was attacked for political reasons, or if it was simply a large sitting duck out of many atop of a security vulnerability in Zoho software. But the question remains worth asking as enterprise tech can no longer afford to not think about hostile nation states when looking at the state of their cybersecurity, especially in light of the ongoing Ukraine conflict.

“In the current environment, attackers are more likely to be politically motivated, with active groups potentially sponsored by nation states, and better funded groups carrying out more organised and sophisticated attacks,” warns Tom Venables, practice director of application and cyber security at security specialists Turnkey Consulting.

“The situation in Ukraine shows that bad actors can be linked to political trends as well as to more straightforward criminal activity,” agrees Keegan Keplinger, head of research at eSentire’s Threat Research Unit “These groups can be linked to nation states and, as long as they don’t target companies or organisations in their home countries, are tolerated or even encouraged in their actions.”

The Ukraine invasion has seen increased attacks by state-sponsored cyber criminals and hacktivists targeting government agents, Tom Venables

For Venables, Ukraine demonstrates that global situations can “escalate rapidly” and further reinforces the need for making robust security a matter of good business practice in ERP.

“Incorporating proper security measures and procedures in the ERP landscape is crucial in allowing effective threat detection, incident response and recovery across business operations and supply chains,” he says. “These measures strengthen a company’s resilience and business continuity management when it comes to unpredictable cyber threats, both external and internal.”


Massive attack incoming

The outlook for this year suggests that if 2021 was bad, then things can only get worse in 2022. As the Ukraine invasion rumbles on, enterprises should likely expect an opening of the floodgates in global cyber insecurity.

“There has been, and continues to be, anticipation that the cyber element of this confrontation will spill over borders with Russian state actors targeting organisations in the West in retaliation for the economic sanctions imposed on them,” says Oliver Tavakoli, CTO of Vectra, a startup where artificial intelligence (AI) meets cybersecurity.

“Additionally, unlike traditional wars with some semblance of a central command on each side, a number of freelance actors on both sides of the conflict have entered the fray and in such circumstances the selection of targets for attack is quite a bit less predictable than normal.”

“The Ukraine invasion has seen an increase in attacks by state-sponsored cyber criminals and hacktivists targeting government agents and critical infrastructure operators in Russia, Ukraine and beyond,” agrees Venables. “Third parties in the supply chains of either of these types of enterprise are also a target, so while an organisation may not directly experience a cyberattack, there is always a risk of collateral damage to its supply chain and operations.”

The threat to enterprise is real, therefore. But so are the solutions. According to Venables, a key step is to ensure that all ERP security software and solutions are up to date. As attacks like the Zoho breach showed, cyber criminals often use reverse-engineering patches to “reveal vulnerabilities and take advantage of organisations that have not updated quickly enough”. 


The situation in Ukraine shows that bad actors can be linked to political trends as well as more straightforward criminal activity,

Keegan Keplinger

The security expert also advocates companies begin to get clued up on the REvils and Emissary Pandas of this world instead of vice versa.

“Defending against a sophisticated threat group takes knowledge of the adversary and a risk-based approach in order to prioritise spending in the areas that are most likely to be exploited; a cyber threat intelligence (CTI) assessment exercise provides the information required to do this.

“CTI assessments need to look externally to understand which groups are likely to target the organisation and the attack methods they use. They also need to take an internal view to identify the controls that the organisation currently operates. From there a gap analysis can be completed to expose vulnerabilities in the organisation’s defence; with this insight, investment in defensive measures can be prioritised.”

For eSentire’s research head, preparing effective security strategies should also involve implementing strong security measures.

“This covers prevention, but also how to respond when a potential attack takes place to effectively counter further impact of an incident,” Keplinger tells ERP Today. “If attacks on company systems do take place and succeed in getting a foothold in the network, then fast responses are required to eject attackers before they can maximise their impact.”


Signal to noise ratio

AI can also accelerate company defences in the current climate. While the tech may seem far-flung, overhyped or a mixture of both, AI is already becoming commonplace in cybersecurity solutions, to the extent where many clients expect it to be a key component in a service.

Tavakoli points to the tools offered for free by Vectra in response to the Ukraine assault. As donated to any hybrid or multi-cloud enterprises that may be targeted as a result of the conflict, the vendor’s offerings include AI-driven detection of Microsoft Azure AD, AWS and M365 environments for signs of attack activities.

“We are simply offering the tools free of charge to organisations which might be impacted by the war and who may either not be able to afford the tools or whose security practices are less mature and where the need to rapidly get ‘shields up’ is understood.

“The purpose of the free tools is to help organisations who believe they may be targeted to better prepare for an attack. Some of the tools identify weak spots in an organisation’s defences which should be shored up before an attack begins. Others help identify elements of attacks that are in progress and enable an organisation to respond to the attack before it does real harm.”

Any complimentary protection is likely to be appreciated in Ukraine, as long as it works. For enterprises, functionality is the object of the cyber game, but that shouldn’t mean overlooking the exact contents of a solution, for example the AI in Vectra’s wares. 

“One of the key problems in today’s complex IT environments is that they are ever changing and relatively noisy,” says Tavakoli. “AI and machine learning (ML) are techniques that when correctly applied can help sort the signal out from the noise. In this context, it is important not to just find what is different – many AI approaches do this  – as change in enterprise networks is constant. Instead, our approach is to look for the methods underlying the various attacker methods.”

Venables also appreciates AI for how it can be used to allow automated governance and monitoring across all business operations and elements, including access and identity management, remote function call (RFC) connections, and threat intelligence to monitor log anomalies.

“AI can bring numerous benefits to organisations. As our networked environments expand and become more complex, it can be leveraged to predict, prevent, detect and respond to cybersecurity threats through real-time data analysis from a wide variety of sources. The behaviour analysis used by AI allows organisations to enhance their threat detection and prevention process and reduce the likelihood of zero-day attacks occurring.”

ERP Today though is warned by the expert that AI is only beneficial if used and configured correctly.

“It is not a panacea. There is also a perception that AI systems are extremely difficult to reverse-engineer and are therefore inherently secure. However, this is a false narrative.

“The sheer volume of sensitive and personal data analysed by AI systems is vulnerable to privacy and protection threats and we now see attackers reverse-engineer AI systems and access the data it has collected or been trained on,” Venables adds.


Know your enemy

It’s also worth remembering that cyber criminals  – and hostile states  – will also weaponise AI to enhance their attacks on networks and systems. As ever it’s worth knowing your enemy, and to do so sooner rather than later.

“The capability of the Russian state in the SolarWinds hack and many others over the years, and Russian proxies in the form of many criminal ransomware gangs, was clearly a consideration as it proves the capabilities of the adversary,” explains Tavakoli on Vectra’s position in the wake of Ukraine.

“The last couple of years have certainly been a wake-up call that every organisation needs to take cybersecurity more seriously and increase its resilience to attacks. From SolarWinds to rampant ransomware perpetrated by well organised gangs, to impactful vulnerabilities like Log4j, the situation remains incredibly fluid. Now add to this the recent war in Ukraine. 

“While most organisations have improved their defensive capabilities over the past two years, many are also coming to the conclusion that the improvements are not occurring fast enough, and are redoubling their efforts to become more resilient to attacks by advanced adversaries.”